Tor: FBI Paid Carnegie Mellon $1 Million to Expose Users

According to the Tor Project, the FBI paid researchers at Carnegie Mellon University to launch an attack on the service last year in an effort to expose some of its users.

The anonymizing service has written a blog post about its findings:

“The Tor Project has learned more about last year’s attack by Carnegie Mellon researchers on the hidden service subsystem,” begins the post. “Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes.”

As reported by Ars Technica, a Homeland Security search warrant affidavit reveals that between January and July of last year, federal law enforcement officials received a “source of information” that gave them “particular IP addresses” of Tor users who had accessed Silk Road 2.0.

Several months later, federal authorities leveraged the intelligence they had obtained to conduct Operation Onymous, in which they seized some 300 dark web websites, including Silk Road 2.0, and arrested dozens of individuals.

One of those persons arrested was Brian Richard Farrell, aka “DoctorClu”–a staff member on the Silk Road 2.0 marketplace.

Up until recently, journalists could only speculate the identity of the FBI’s Source of Information that provided the Bureau with approximately 78 IP addresses of users who had accessed a vendor on Silk Road 2.0, one of which led authorities to Farrell’s residence.

A motion recently filed in Farrell’s case now reveals the truth:

“On October 12, 2015, the government provided defense counsel a letter indicating that Mr. Farrell’s involvement with Silk Road 2.0 was identified based on information obtained by a ‘university-based research institute’ that operated its own computers on the anonymous network used by Silk Road 2.0,” the motion reads, as reported by Motherboard.

This piece of information has all but confirmed to Tor the involvement of Carnegie Mellon.

When staff persons at the Tor Project contacted Carnegie Mellon for comment on its findings, the university cited a lack of evidence.

“I’d like to see the substantiation for their claim,” said Ed Desautels, a staffer in the public relations department of the university’s Software Engineering Institute. “I’m not aware of any payment.”

According to WIRED, Tor had indeed identified Carnegie Mellon as the source of the attack by pinpointing servers running on its network. When it questioned the university about this activity, the servers disappeared, and Carnegie Mellon did not offer any comment.